
List:       bro
Subject:    Re: [Zeek] : Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE
From:       Patrick Kelley <patrick.kelley () criticalpathsecurity ! com>
Date:       2019-03-28 13:55:39
Message-ID: CA+WAcdT06sKGrL_S-f01EO_YEYNiPmcxJ3M2sfeNoyhuNu6qPg () mail ! gmail ! com

We'll try to crack something out around PTH, if nothing exists already.
We'll post it here when done.

We have the pcaps from the lab and live engagements. Should be able to
knock that out.

On Thu, Mar 28, 2019 at 9:35 AM Fernandez, Mark I <mfernandez@mitre.org>
wrote:

> Alex,
>
> >> - Is the repository going to be maintained and updated,
> >> e.g. new attacks and categories/techniques?
>
> To be determined.  We may do some small updates in the near future.
> Contributions from the Zeek community are welcome, and I believe we'll be
> able to incorporate community contributions.
>
> >> - Second, isn't it possible to detect a pth attack through
> >> *bzar_smb.bro*?
>
> Pass-the-Hash (pth) was not in the initial scope of the BZAR work.  I
> think it would be great to add it, but I haven't done a market survey to
> see if anyone else has already developed pth detection for Zeek.
>
> Cheers,
>
> Mark
> _______________________________________________
> Zeek mailing list
> zeek@zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek



-- 

*Patrick Kelley, CISSP, C|EH, ITIL*
*CTO*
patrick.kelley@criticalpathsecurity.com
(o) 770-224-6482

*The limit to which you have accepted being comfortable is the limit to
which you have grown. Accept new challenges as an opportunity to enrich
yourself and not as a point of potential failure.*

_______________________________________________
Zeek mailing list
zeek@zeek.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
